Rancher Installation

This is a follow up to "RKE2 Ansible Installation" and assumes you're working on an RKE2 cluster similar to the one set up in that document.

Example commands and configs are for 3 masters, 3 workers and an additional jump node all running Ubuntu.

Example topology:

Name	IP
Master-01	10.40.140.4
Master-02	10.40.140.5
Master-03	10.40.140.6
Worker-01	10.40.140.7
Worker-02	10.40.140.8
Worker-03	10.40.140.9
Jump	10.40.140.10

ssh into the jump machine
```
ssh root@10.40.140.10
```
Enter the ssh password when prompted
Install kubectl if it's not already installed
```
sudo snap install kubectl --classic
```
Make sure we're using the correct kubeconfig
```
export KUBECONFIG=~/rke2.yaml
```

Confirm that our nodes and pods are correct and health

kubectl get nodes -o wide
kubectl get pods -A

Install Rancher on the RKE2 cluster

Install Helm
```
sudo snap install helm --classic
```

Add Helm chart repository (used latest here, can be latest, stable or alpha)

helm repo add rancher-latest https://releases.rancher.com/server-charts/latest

Create a namespace for Rancher
```
kubectl create namespace cattle-system
```

Using Rancher-Generated TLS Cert

Install cert-manager (needed if using Rancher-generated TLS cert or Let’s Encrypt)

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.11.0

Verify that cert-manager is deployed correctly

kubectl get pods --namespace cert-manager

Install Rancher with Helm
```
helm install rancher rancher-latest/rancher \
  --namespace cattle-system \
  --set hostname=10.40.140.8.nip.io \
  --set bootstrapPassword=admin \
  --set global.cattle.psp.enabled=false
```
- hostname should be the DNS name you pointed at your load balancer for the worker nodes, .nip.io can be added to the ip if there’s no DNS name
- global.cattle.psp.enabled is set to false due to the rancher helm chart requiring the deprecated podsecuritypolicy
Save the --set options used here, you will need to use the same options when you upgrade Rancher to new versions with Helm.

Wait for Rancher to be rolled out

watch kubectl -n cattle-system get pods

In a web browser navigate to the DNS name that points to your load balancer (ex: 10.40.140.8:nip.io), you should see the login page

Using your own Certs

Formatting Certs

It can cause complications while editing files on a machine running some form of Windows and uploading them to a Linux server. Windows-based text editors put special characters at the end of lines to denote a line return or newline. There is a simple way to correct this problem.

Install dos2unix and execute the command to convert line endings from DOS to Unix
```
sudo apt install -y dos2unix

dos2unix /path/to/file/<file-name>
```
Windows servers use .pfx files which contain the public and private key. However, this can also be converted to .pem files to be used on Linux server
```
openssl pkcs12 -in cert.pfx -nocerts -out tls.key -nodes
openssl pkcs12 -in cert.pfx -nokeys -out tls.crt
```

Validating Certs

Before you set up your certificates, it's a good idea to test them to ensure that they are correct and will work together.

Check to see if the private key and main certificate are in PEM format. openssl must be installed

sudo apt install openssl -y

openssl rsa -inform PEM -in /path/to/key/tls.key
openssl x509 -inform PEM -in /path/to/cert/tls.crt

Verify that the private key and main certificate match

openssl x509 -noout -modulus -in tls.crt | openssl md5
openssl rsa -noout -modulus -in tls.key | openssl md5

## The output of these two commands should be the same.

Verify that the public keys contained in the private key file and the main certificate are the same

openssl x509 -in tls.crt -noout -pubkey
openssl rsa -in tls.key -pubout

## The output of these two commands should be the same.

Check the validty of certificate chain

openssl verify -CAfile cacerts.pem tls.crt

# Response must be OK.

Check if Subject Alternative Names contains Common Name

Subject Alternative Name must contains the same value of the CN. If it does not, the certificate is not valid because the industry moves away from CN

openssl x509 -noout -subject -in tls.crt
# subject= /CN=<example.domain.com>
openssl x509 -noout -in tls.crt -text | grep DNS
# DNS:<example.domain.com>

Create Secrets and Install

Create tls-ca secret with your private CA's root certificate

kubectl -n cattle-system create secret generic tls-ca \
    --from-file=cacerts.pem=./cacerts.pem

Create cert and key secrets

kubectl -n cattle-system create secret tls tls-rancher-ingress \
    --cert=tls.crt \
    --key=tls.key

Install Rancher with Helm
```
helm install rancher rancher-latest/rancher \
    --namespace cattle-system \
    --set hostname=10.40.140.8.nip.io \
    --set bootstrapPassword=admin \
    --set global.cattle.psp.enabled=false \
    --set ingress.tls.source=secret \
    --set privateCA=true
```
- hostname should be the DNS name you pointed at your load balancer for the worker nodes, .nip.io can be added to the ip if there’s no DNS name
- global.cattle.psp.enabled is set to false due to the rancher helm chart requiring the deprecated podsecuritypolicy
Save the --set options used here, you will need to use the same options when you upgrade Rancher to new versions with Helm.

Cleanup

ssh into the Jump machine
```
ssh root@10.40.140.10
```
Make sure we're using the correct kubeconfig
```
export KUBECONFIG=~/rke2.yaml
```

Remove Rancher using helm

helm uninstall rancher -n cattle-system

Remove Helm repositories
```
helm repo remove jetstack
helm repo remove rancher-latest
```
Change rancher-latest with the version you used while installing (ex: stable, alpha)
Remove Helm
```
sudo snap remove helm
```